Missing Password Field Masking Affecting sudo-rs package, versions >=0.2.7 <0.2.10

Q: How to fix?

Upgrade sudo-rs to version 0.2.10 or higher.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-RUST-SUDORS-13925186
published13 Nov 2025
disclosed12 Nov 2025
creditThomas Geiger

Report a new vulnerability Found a mistake?

Introduced: 12 Nov 2025

NewCVE-2025-64170 (opens in a new tab) CWE-549 (opens in a new tab)

How to fix?

Upgrade sudo-rs to version 0.2.10 or higher.

Overview

Affected versions of this package are vulnerable to Missing Password Field Masking via the password input. An attacker can obtain partial password input by waiting for a timeout to occur after a user begins entering their password but does not press return, causing the entered keystrokes to be echoed back to the console.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Physical
Attack Complexity (AC)
High
Attack Requirements (AT)
None
Privileges Required (PR)
High
User Interaction (UI)
Passive

Confidentiality (VC)
High
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None